pkgsrc-Users archive


Re: pkg_admin audit shows vulns for openssl-1.0.2i



On Mon, Sep 26, 2016 at 05:35:10PM +0000, Benny Siegert wrote:
> I fixed this the other day. I suspect the script which uploads the file to
> FTP has not run yet.

Hi, could you please check again? 

    Package openssl-1.0.2j has a denial-of-service vulnerability, see https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-2177
    Package openssl-1.0.2j has a side-channel vulnerability, see https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-2178
    Package openssl-1.0.2j has a denial-of-service vulnerability, see https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-2180

Or are these still open in 1.0.2j?

Regards
Matthias


> 
> Matthias Ferdinand <mf+ml.pkgsrc-users%netzwerkagentursaarland.de@localhost> wrote
> on Mon, 26 Sep 2016, 17:46:
> 
> > Hi,
> >
> > the command sequence
> >
> >     pkg_admin fetch-pkg-vulnerabilities
> >     pkg_admin audit
> >
> > still shows these vulnerabilities for the recently updated
> > openssl-1.0.2i:
> >
> >     Package openssl-1.0.2i has a denial-of-service vulnerability, see
> > https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-2177
> >     Package openssl-1.0.2i has a side-channel vulnerability, see
> > https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-2178
> >     Package openssl-1.0.2i has a denial-of-service vulnerability, see
> > https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-2180
> >     Package openssl-1.0.2i has a denial-of-service vulnerability, see
> > https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-2179
> >     Package openssl-1.0.2i has a denial-of-service vulnerability, see
> > https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-2181
> >     Package openssl-1.0.2i has a denial-of-service vulnerability, see
> > https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-2182
> >     Package openssl-1.0.2i has a denial-of-service vulnerability, see
> > https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-6302
> >     Package openssl-1.0.2i has a denial-of-service vulnerability, see
> > https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-6303
> >
> > Weren't these vulns supposed to be fixed in 1.0.2i? Perhaps the vuln db
> > needs updating?
> >
> > Regards
> > Matthias

